This week, T-Mobile Austria admitted that it stores part of customer passwords in plain text. “The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for mein.t-mobile.at,” a T-Mo Austria rep explained. Many T-Mobile US customers are wondering if their carrier does the same thing, but T-Mo says that it does not.
T-Mobile US tells me that it does not store passwords in plain text. “T-Mobile US applies strong security controls to customer passwords or PIN codes,” T-Mo told me in an e-mailed statement. “T-Mobile US customer care representatives cannot see passwords, and we do not store passwords in plain text.” T-Mo went on to confirm that it does not store any part of a customer’s password in plain text.
T-Mobile CEO John Legere echoed that statement on Twitter:
Can’t I do both? @TMobile US customer care reps can’t see passwords, nor are they stored in plain text.
— John Legere (@JohnLegere) April 6, 2018
While T-Mobile Austria has touted that it has “amazingly good” security, it can still be unsettling for customers to know that even part of their passwords is being stored in plain text. Customers’ accounts store a lot of sensitive data, so if a breach were to happen, it would be a big deal for those customers. The good news is that T-Mobile US customers now know that their passwords are secure.